Date: Wed, 2 May 2018 22:24:02 -0300
From: Marcelo Ricardo Leitner
To: Wenwen Wang
Cc: Kangjie Lu, Vlad Yasevich, Neil Horman, "David S. Miller", "open list:SCTP PROTOCOL", "open list:NETWORKING [GENERAL]", open list
Subject: Re: [PATCH] sctp: fix a potential missing-check bug
Message-ID: <20180503012402.GK5105@localhost.localdomain>
References: <1525310145-28102-1-git-send-email-wang6495@umn.edu>
In-Reply-To: <1525310145-28102-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 02, 2018 at 08:15:45PM -0500, Wenwen Wang wrote:
> In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len
> and max_len to check whether it is in the appropriate range. If it is not,
> an error code -EINVAL will be returned. This is enforced by a security
> check. But this check is only executed when 'val' is not 0. In fact, if
> 'val' is 0, it will be assigned a new value (if the return value of
> the function sctp_id2assoc() is not 0) in the following execution. However,
> this new value of 'val' is not checked before it is assigned to
> asoc->user_frag. That means it is possible that the new value of 'val'
> could be out of the expected range. This can cause security issues
> such as buffer overflows, e.g., the new value of 'val' is used as an index
> to access a buffer.
>
> This patch inserts a check for the new value of 'val' to see if it is in
> the expected range. If it is not, an error code -EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang
> ---
>  net/sctp/socket.c | 22 +++++++++++-----------
>  1 file changed, 11 insertions(+), 11 deletions(-)

? This patch is the same as the previous one. git send-email maybe?

Marcelo
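The missing-check pattern the report describes, modelled in plain C as an added example (it is neither the kernel's sctp_setsockopt_maxseg() nor the submitted patch): in the first variant the range check sits under `if (val)`, so a value derived on the val == 0 path reaches the store unchecked; the hardened variant checks whatever value is actually about to be stored. The bounds, the derived value and the struct are constructed stand-ins, not kernel values.

```c
#include <errno.h>
/* Constructed bounds standing in for the handler's min_len/max_len. */
#define MODEL_MIN_LEN 64
#define MODEL_MAX_LEN 1452
struct model_assoc {		/* minimal stand-in for the association */
	int derived_frag;	/* what the val == 0 path would derive */
	int user_frag;		/* destination of the guarded assignment */
};

static int in_range(int v)
{
	return v >= MODEL_MIN_LEN && v <= MODEL_MAX_LEN;
}

/* Pattern the report describes: the check sits under 'if (val)', so a
 * value derived on the val == 0 path is stored without being checked. */
int set_maxseg_unchecked(struct model_assoc *asoc, int val)
{
	if (val && !in_range(val))
		return -EINVAL;
	if (asoc) {
		if (val == 0)
			val = asoc->derived_frag;	/* reassigned, used as-is */
		asoc->user_frag = val;
	}
	return 0;
}

/* Hardened form: check the value actually being stored, after every path
 * that may assign it. With no association, 0 keeps meaning "default". */
int set_maxseg_checked(struct model_assoc *asoc, int val)
{
	if (asoc) {
		if (val == 0)
			val = asoc->derived_frag;
		if (!in_range(val))		/* now covers the derived value */
			return -EINVAL;
		asoc->user_frag = val;
		return 0;
	}
	return (val && !in_range(val)) ? -EINVAL : 0;
}

/* val == 0 with a constructed out-of-range derived value (9000): returns the error code, else the stored value. */
int demo(int hardened)
{
	struct model_assoc a = { .derived_frag = 9000, .user_frag = 0 };
	int rc = hardened ? set_maxseg_checked(&a, 0) : set_maxseg_unchecked(&a, 0);
	return rc ? rc : a.user_frag;	/* unchecked: 9000; hardened: -EINVAL */
}
```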